f0a7b44e504644e7c5ffda139ee373c13da41703d91bf38e33bb5323c512b4b9

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 02:21

Target

f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
Size

744KB
MD5

f4d42c9b83b6f7e3c8d1e2ff96b897c1
SHA1

1cea4fff0af19daa401e740bea0e6b02b0b0158b
SHA256

f0a7b44e504644e7c5ffda139ee373c13da41703d91bf38e33bb5323c512b4b9
SHA512

6326ec8a07ec857b70114d9396d7ac253ebfccd56459c1525cf8844ae653bf5694cb309650bce08f58bec9ea00201a9a79e4a2185b7a5fe21a95fd732e67ccba
SSDEEP

12288:ji8tXVp5ApeNvTy/q5IsOha7HYx8k0/2YLLMt6AZp5:ji8pRApeNf5Sa7HYxBqLQtZZv

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	wWw.HeiKe.Hk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wWw.HeiKe.Hk.exe	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
File created	C:\Windows\61642520.BAT	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
File created	C:\Windows\wWw.HeiKe.Hk.exe	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2052	wWw.HeiKe.Hk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	wWw.HeiKe.Hk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2640	2052	wWw.HeiKe.Hk.exe	29
PID 2052 wrote to memory of 2640	2052	wWw.HeiKe.Hk.exe	29
PID 2052 wrote to memory of 2640	2052	wWw.HeiKe.Hk.exe	29
PID 2052 wrote to memory of 2640	2052	wWw.HeiKe.Hk.exe	29
PID 1672 wrote to memory of 2636	1672	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2636	1672	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2636	1672	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2636	1672	f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2636

C:\Windows\wWw.HeiKe.Hk.exe
C:\Windows\wWw.HeiKe.Hk.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2640

C:\Windows\61642520.BAT

Filesize
218B

MD5
8e6282cabce7531c942f71cd6e268ab3

SHA1
025d1049607f3dac1e5d3994806c67a85d145c41

SHA256
48c088aa10c109bdda94bc429b58d0edc56c7db9760006821172e66886749669

SHA512
aad18328ecf2116cc54fe5ea1f2caebee4f1cd1fcf1d498d39fa81f2f21ee51cc805bf238a7e63b32d49926ffc269258cff0362ee90e3e9e5ed5664f6b0a6f1d

Download Submit
C:\Windows\wWw.HeiKe.Hk.exe

Filesize
744KB

MD5
f4d42c9b83b6f7e3c8d1e2ff96b897c1

SHA1
1cea4fff0af19daa401e740bea0e6b02b0b0158b

SHA256
f0a7b44e504644e7c5ffda139ee373c13da41703d91bf38e33bb5323c512b4b9

SHA512
6326ec8a07ec857b70114d9396d7ac253ebfccd56459c1525cf8844ae653bf5694cb309650bce08f58bec9ea00201a9a79e4a2185b7a5fe21a95fd732e67ccba

Download Submit
memory/1672-0-0x0000000000400000-0x00000000004C3058-memory.dmp

Filesize
780KB

Download
memory/1672-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1672-15-0x0000000000400000-0x00000000004C3058-memory.dmp

Filesize
780KB

Download
memory/2052-5-0x0000000000400000-0x00000000004C3058-memory.dmp

Filesize
780KB

Download
memory/2052-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2052-17-0x0000000000400000-0x00000000004C3058-memory.dmp

Filesize
780KB

Download
memory/2052-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download